From 7234f2e65aa3c9ce841cd1b3ab07ddccaae4f2da Mon Sep 17 00:00:00 2001
From: Anthonios Partheniou
Date: Tue, 26 May 2026 15:23:16 +0000
Subject: [PATCH 1/2] fix: require protobuf 6.33.5 to address CVE-2026-0994
---
 packages/gapic-generator/.bazeliskrc | 2 +-
 packages/gapic-generator/WORKSPACE | 8 ++++----
 packages/gapic-generator/gapic/ads-templates/setup.py.j2 | 2 +-
 .../%namespace/%name_%version/%sub/__init__.py.j2 | 8 ++++----
 packages/gapic-generator/gapic/templates/setup.py.j2 | 2 +-
 .../templates/testing/constraints-3.10-async-rest.txt.j2 | 2 +-
 .../gapic/templates/testing/constraints-3.10.txt.j2 | 2 +-
 .../gapic/templates/testing/constraints-3.13.txt.j2 | 2 +-
 .../gapic/templates/testing/constraints-3.14.txt.j2 | 2 +-
 packages/gapic-generator/requirements.in | 2 +-
 packages/gapic-generator/setup.py | 2 +-
 11 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/packages/gapic-generator/.bazeliskrc b/packages/gapic-generator/.bazeliskrc
index 63f820260fa9..f7d5d8d41cfc 100644
--- a/packages/gapic-generator/.bazeliskrc
+++ b/packages/gapic-generator/.bazeliskrc
@@ -1,2 +1,2 @@
 # See https://github.com/bazelbuild/bazelisk
-USE_BAZEL_VERSION=6.5.0
+USE_BAZEL_VERSION=7.7.1
diff --git a/packages/gapic-generator/WORKSPACE b/packages/gapic-generator/WORKSPACE
index 4da1de3cc7d4..67fb698ecd0f 100644
--- a/packages/gapic-generator/WORKSPACE
+++ b/packages/gapic-generator/WORKSPACE
@@ -60,9 +60,9 @@ gapic_generator_python() gapic_generator_register_toolchains()
-_grpc_version = "1.71.0"
+_grpc_version = "1.78.1"
-_grpc_sha256 = "9313c3f8f4dd3341597f152d506a50caf571fe40f886e24ea9078891990df285"
+_grpc_sha256 = "f9b1d9fe1648024150593efa077ee0f600f9823a21e9d618b4f304e6c09c9902"
 http_archive(
 name = "com_github_grpc_grpc",
@@ -72,9 +72,9 @@ http_archive(
 )
 # instantiated in grpc_deps().
-_protobuf_version = "30.2"
+_protobuf_version = "33.5"
-_protobuf_sha256 = "07a43d88fe5a38e434c7f94129cad56a4c43a51f99336074d0799c2f7d4e44c5"
+_protobuf_sha256 = "440848dffa209beb8a04e41cc352762e44f8e91342b2a43aab6af9b30713c2f6"
 http_archive(
 name = "com_google_protobuf",
diff --git a/packages/gapic-generator/gapic/ads-templates/setup.py.j2 b/packages/gapic-generator/gapic/ads-templates/setup.py.j2
index 1684c2de1a61..18d403195c07 100644
--- a/packages/gapic-generator/gapic/ads-templates/setup.py.j2
+++ b/packages/gapic-generator/gapic/ads-templates/setup.py.j2
@@ -34,7 +34,7 @@ dependencies = [
 "googleapis-common-protos >= 1.53.0",
 "grpcio >= 1.10.0",
 "proto-plus >= 1.22.3, <2.0.0",
- "protobuf >= 4.25.8, < 8.0.0",
+ "protobuf >= 6.33.5, < 8.0.0",
 {% if api.requires_package(('google', 'iam', 'v1')) %}
 "grpc-google-iam-v1",
 {% endif %}
diff --git a/packages/gapic-generator/gapic/templates/%namespace/%name_%version/%sub/__init__.py.j2 b/packages/gapic-generator/gapic/templates/%namespace/%name_%version/%sub/__init__.py.j2
index c1e5c715cf71..497592654d20 100644
--- a/packages/gapic-generator/gapic/templates/%namespace/%name_%version/%sub/__init__.py.j2
+++ b/packages/gapic-generator/gapic/templates/%namespace/%name_%version/%sub/__init__.py.j2
@@ -69,7 +69,7 @@ else: # pragma: NO COVER
 def parse_version_to_tuple(version_string: str):
 """Safely converts a semantic version string to a comparable tuple of integers.
- Example: "4.25.8" -> (4, 25, 8)
+ Example: "6.33.5" -> (6, 33, 5)
 Ignores non-numeric parts and handles common version formats.
 Args:
 version_string: Version string in the format "x.y.z" or "x.y.z"
@@ -98,9 +98,9 @@ else: # pragma: NO COVER
 return (None, "--")
 _dependency_package = "google.protobuf"
- _next_supported_version = "4.25.8"
- _next_supported_version_tuple = (4, 25, 8)
- _recommendation = " (we recommend 6.x)"
+ _next_supported_version = "6.33.5"
+ _next_supported_version_tuple = (6, 33, 5)
+ _recommendation = " (we recommend 7.x)"
 (_version_used, _version_used_string) = _get_version(_dependency_package)
 if _version_used and _version_used < _next_supported_version_tuple:
 warnings.warn(f"Package {_package_label} depends on " +
diff --git a/packages/gapic-generator/gapic/templates/setup.py.j2 b/packages/gapic-generator/gapic/templates/setup.py.j2
index b803e1b6df96..594ef5b09751 100644
--- a/packages/gapic-generator/gapic/templates/setup.py.j2
+++ b/packages/gapic-generator/gapic/templates/setup.py.j2
@@ -42,7 +42,7 @@ dependencies = [
 "proto-plus >= 1.22.3, <2.0.0",
 "proto-plus >= 1.25.0, <2.0.0; python_version >= '3.13'",
 {# Explicitly exclude protobuf versions mentioned in https://cloud.google.com/support/bulletins#GCP-2022-019 #}
- "protobuf >= 4.25.8, < 8.0.0",
+ "protobuf >= 6.33.5, < 8.0.0",
 {% for package_tuple, package_info in pypi_packages.items() %}
 {# Quick check to make sure `package_info.package_name` is not the package being generated so we don't circularly include this package in its own constraints file. #}
 {% if api.naming.warehouse_package_name != package_info.package_name %}
diff --git a/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2 b/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2
index 3a1222949a04..2de356417a13 100644
--- a/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2
+++ b/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2
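Review bot: `_next_supported_version = "6.33.5"` and `_next_supported_version_tuple = (6, 33, 5)` are two hand-maintained copies of the same floor, and nothing in the hunk records why this value was chosen; the next time the floor moves (as it just did from 4.25.8) the two literals can silently drift apart. `parse_version_to_tuple` is defined in this same template (the earlier hunk at `@@ -69,7`), so the tuple can be derived instead of retyped: `_next_supported_version_tuple = parse_version_to_tuple(_next_supported_version)` — assuming it is in scope at this point of the `else:` branch, which the hunk does not show. A why-comment on the string would carry the rationale that requirements.in in this same patch already records, e.g. `# Floor set for CVE-2026-0994 (GHSA-7gcm-g887-7qv7); keep in sync with setup.py.j2`. The same unexplained `6.33.5` literal appears in the ads-templates/setup.py.j2, templates/setup.py.j2 and setup.py hunks of this patch. The `else:` block and the `warnings.warn(...)` call continue outside the hunk.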
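Review bot: The Jinja comment kept directly above the changed line, `{# Explicitly exclude protobuf versions mentioned in https://cloud.google.com/support/bulletins#GCP-2022-019 #}`, is now the only explanation the generated setup.py carries for the `>= 6.33.5` floor, and it does not mention the reason this patch raises it — CVE-2026-0994, which the patch subject and the requirements.in hunk name explicitly. Suggest extending the comment so the generated package carries both rationales, e.g. `{# Lower bound: CVE-2026-0994 (GHSA-7gcm-g887-7qv7); also excludes the protobuf versions in https://cloud.google.com/support/bulletins#GCP-2022-019 #}`. The ads-templates/setup.py.j2 hunk has no comment at all on its protobuf line and could take the same one.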
@@ -12,7 +12,7 @@ google-api-core==2.21.0
 google-auth==2.35.0
 grpcio==1.44.0
 proto-plus==1.22.3
-protobuf==4.25.8
+protobuf==6.33.5
 {% for package_tuple, package_info in pypi_packages.items() %}
 {# Quick check to make sure `package_info.package_name` is not the package being generated so we don't circularly include this package in its own constraints file. #}
 {% if api.naming.warehouse_package_name != package_info.package_name %}
diff --git a/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2 b/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2
index eb8dc323f481..83e631bd8691 100644
--- a/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2
+++ b/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2
@@ -9,7 +9,7 @@ google-api-core==2.17.1
 google-auth==2.14.1
 grpcio==1.44.0
 proto-plus==1.22.3
-protobuf==4.25.8
+protobuf==6.33.5
 {% for package_tuple, package_info in pypi_packages.items() %}
 {# Quick check to make sure `package_info.package_name` is not the package being generated so we don't circularly include this package in its own constraints file. #}
 {% if api.naming.warehouse_package_name != package_info.package_name %}
diff --git a/packages/gapic-generator/gapic/templates/testing/constraints-3.13.txt.j2 b/packages/gapic-generator/gapic/templates/testing/constraints-3.13.txt.j2
index c2e7b8a9934c..a2e0a3f4cb1e 100644
--- a/packages/gapic-generator/gapic/templates/testing/constraints-3.13.txt.j2
+++ b/packages/gapic-generator/gapic/templates/testing/constraints-3.13.txt.j2
@@ -10,7 +10,7 @@ google-api-core>=2
 google-auth>=2
 grpcio>=1
 proto-plus>=1
-protobuf>=6
+protobuf>=7
 {% for package_tuple, package_info in pypi_packages.items() %}
 {# Quick check to make sure `package_info.package_name` is not the package being generated so we don't circularly include this package in its own constraints file. #}
 {% if api.naming.warehouse_package_name != package_info.package_name %}
diff --git a/packages/gapic-generator/gapic/templates/testing/constraints-3.14.txt.j2 b/packages/gapic-generator/gapic/templates/testing/constraints-3.14.txt.j2
index c2e7b8a9934c..a2e0a3f4cb1e 100644
--- a/packages/gapic-generator/gapic/templates/testing/constraints-3.14.txt.j2
+++ b/packages/gapic-generator/gapic/templates/testing/constraints-3.14.txt.j2
@@ -10,7 +10,7 @@ google-api-core>=2
 google-auth>=2
 grpcio>=1
 proto-plus>=1
-protobuf>=6
+protobuf>=7
 {% for package_tuple, package_info in pypi_packages.items() %}
 {# Quick check to make sure `package_info.package_name` is not the package being generated so we don't circularly include this package in its own constraints file. #}
 {% if api.naming.warehouse_package_name != package_info.package_name %}
diff --git a/packages/gapic-generator/requirements.in b/packages/gapic-generator/requirements.in
index 2a9d7bb2cdb7..2776bb919bb8 100644
--- a/packages/gapic-generator/requirements.in
+++ b/packages/gapic-generator/requirements.in
@@ -3,7 +3,7 @@ google-api-core
 googleapis-common-protos
 jinja2
 MarkupSafe
-protobuf>=4.25.8
+protobuf>=6.33.5 # for CVE-2026-0994. See https://github.com/advisories/GHSA-7gcm-g887-7qv7 and https://protobuf.dev/support/version-support/#python
 pypandoc
 PyYAML
 grpc-google-iam-v1
diff --git a/packages/gapic-generator/setup.py b/packages/gapic-generator/setup.py
index 41c08ae8a4a9..84879cd36490 100644
--- a/packages/gapic-generator/setup.py
+++ b/packages/gapic-generator/setup.py
@@ -35,7 +35,7 @@
 # https://jinja.palletsprojects.com/en/3.0.x/templates/#jinja-filters.map
 # https://jinja.palletsprojects.com/en/2.11.x/changelog/#version-2-11-0
 "jinja2 >= 2.11",
- "protobuf >= 4.25.8, < 8.0.0",
+ "protobuf >= 6.33.5, < 8.0.0",
 "pypandoc >= 1.4",
 "PyYAML >= 5.1.1",
 "grpc-google-iam-v1 >= 0.14.0, < 1.0.0",
From 18cee87ee4c6f706a69b594753ab7a83dc17e76e Mon Sep 17 00:00:00 2001
From: Anthonios Partheniou
Date: Tue, 26 May 2026 15:44:06 +0000
Subject: [PATCH 2/2] require google-api-core >= 2.24.2 for Protobuf 6.x compatibility
---
 packages/gapic-generator/gapic/ads-templates/setup.py.j2 | 2 +-
 packages/gapic-generator/gapic/templates/setup.py.j2 | 3 +--
 .../templates/testing/constraints-3.10-async-rest.txt.j2 | 2 +-
 .../gapic/templates/testing/constraints-3.10.txt.j2 | 2 +-
 packages/gapic-generator/setup.py | 6 +++---
 5 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/packages/gapic-generator/gapic/ads-templates/setup.py.j2 b/packages/gapic-generator/gapic/ads-templates/setup.py.j2
index 18d403195c07..ae6ec4cbdad6 100644
--- a/packages/gapic-generator/gapic/ads-templates/setup.py.j2
+++ b/packages/gapic-generator/gapic/ads-templates/setup.py.j2
@@ -29,7 +29,7 @@ else:
 release_status = "Development Status :: 5 - Production/Stable"
 dependencies = [
- "google-api-core[grpc] >= 2.10.0, < 3.0.0",
+ "google-api-core[grpc] >= 2.24.2, < 3.0.0",
 "google-auth >= 2.14.1, <3.0.0",
 "googleapis-common-protos >= 1.53.0",
 "grpcio >= 1.10.0",
diff --git a/packages/gapic-generator/gapic/templates/setup.py.j2 b/packages/gapic-generator/gapic/templates/setup.py.j2
index 594ef5b09751..fa6544c150a9 100644
--- a/packages/gapic-generator/gapic/templates/setup.py.j2
+++ b/packages/gapic-generator/gapic/templates/setup.py.j2
@@ -33,7 +33,7 @@ else:
 release_status = "Development Status :: 5 - Production/Stable"
 dependencies = [
- "google-api-core[grpc] >= 2.17.1, <3.0.0",
+ "google-api-core[grpc] >= 2.24.2, <3.0.0",
 # Exclude incompatible versions of `google-auth`
 # See https://github.com/googleapis/google-cloud-python/issues/12364
 "google-auth >= 2.14.1, <3.0.0,!=2.24.0,!=2.25.0",
@@ -55,7 +55,6 @@ dependencies = [
 extras = {
 {% if rest_async_io_enabled %}
 "async_rest": [
- "google-api-core[grpc] >= 2.21.0, < 3.0.0",
 "google-auth[aiohttp] >= 2.35.0, <3.0.0"
 ],
 {% endif %}
diff --git a/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2 b/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2
index 2de356417a13..594e41fa2e20 100644
--- a/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2
+++ b/packages/gapic-generator/gapic/templates/testing/constraints-3.10-async-rest.txt.j2
@@ -8,7 +8,7 @@
 # pinning their versions to their lower bounds.
 # For example, if setup.py has "google-cloud-foo >= 1.14.0, < 2.0.0",
 # then this file should have google-cloud-foo==1.14.0
-google-api-core==2.21.0
+google-api-core==2.24.2
 google-auth==2.35.0
 grpcio==1.44.0
 proto-plus==1.22.3
diff --git a/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2 b/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2
index 83e631bd8691..5889e94d48e3 100644
--- a/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2
+++ b/packages/gapic-generator/gapic/templates/testing/constraints-3.10.txt.j2
@@ -5,7 +5,7 @@
 # pinning their versions to their lower bounds.
 # For example, if setup.py has "google-cloud-foo >= 1.14.0, < 2.0.0",
 # then this file should have google-cloud-foo==1.14.0
-google-api-core==2.17.1
+google-api-core==2.24.2
 google-auth==2.14.1
 grpcio==1.44.0
 proto-plus==1.22.3
diff --git a/packages/gapic-generator/setup.py b/packages/gapic-generator/setup.py
index 84879cd36490..1abfda022244 100644
--- a/packages/gapic-generator/setup.py
+++ b/packages/gapic-generator/setup.py
@@ -28,9 +28,9 @@
 # Ensure that the lower bounds of these dependencies match what we have in the
 # templated setup.py.j2: https://github.com/googleapis/gapic-generator-python/blob/main/gapic/templates/setup.py.j2
 "click >= 6.7",
- "google-api-core[grpc] >= 1.34.1, <3.0.0,!=2.0.*,!=2.1.*,!=2.2.*,!=2.3.*,!=2.4.*,!=2.5.*,!=2.6.*,!=2.7.*,!=2.8.*,!=2.9.*,!=2.10.*",
- "googleapis-common-protos >= 1.55.0",
- "grpcio >= 1.24.3",
+ "google-api-core[grpc] >= 2.24.2, < 3.0.0",
+ "googleapis-common-protos >= 1.55.0, < 2.0.0",
+ "grpcio >= 1.24.3, < 2.0.0",
 # 2.11.0 is required which adds the `default` argument to `jinja-filters.map()`
 # https://jinja.palletsprojects.com/en/3.0.x/templates/#jinja-filters.map
 # https://jinja.palletsprojects.com/en/2.11.x/changelog/#version-2-11-0
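Review bot: The replacement lines add `< 2.0.0` caps to `googleapis-common-protos` and `grpcio`, which the patch subject (google-api-core >= 2.24.2) does not cover and no comment explains; the comment two lines above only speaks about keeping lower bounds aligned with the templated setup.py.j2. An upper bound on the generator's own install requirements is a resolver constraint that the generated packages do not share — the ads-templates/setup.py.j2 hunk in patch 1 of this series keeps `"grpcio >= 1.10.0"` uncapped — so either move the caps to a separate change or record the reason next to them, e.g. `# Cap at the next major: 2.x of googleapis-common-protos and grpcio is untested with the templates`. Dropping the long `!=2.N.*` exclusion list on google-api-core is fine, since `>= 2.24.2` already excludes every version it listed. The list these lines belong to starts and ends outside the hunk.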